From 9a12b962e905527c6bee5f01b4b7f16a91a83ce6 Mon Sep 17 00:00:00 2001
From: tooson
Date: Tue, 12 May 2026 14:23:12 +0900
Subject: [PATCH] Add informational advisory for lru panic safety issue

---
crates/lru/RUSTSEC-0000-0000.md | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
create mode 100644 crates/lru/RUSTSEC-0000-0000.md

diff --git a/crates/lru/RUSTSEC-0000-0000.md b/crates/lru/RUSTSEC-0000-0000.md
new file mode 100644
index 0000000000..a60422a79d
--- /dev/null
+++ b/crates/lru/RUSTSEC-0000-0000.md
@@ -0,0 +1,29 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "lru"
+date = "2026-05-12"
+categories = ["code-execution", "memory-corruption"]
+keywords = ["panic-safety", "memory-safety", "use-after-free", "double-free"]
+informational = "unsound"
+ [versions] patched = [] unaffected = [] ``` # Potential use-after-free due to lack of panic safety in `LruCache::pop()` `LruCache::pop()` in `lru` was not panic-safe. If the `Drop` implementation of a stored key panics during `pop()`, `self.detach()` is never called, leaving dangling pointers in the internal doubly-linked list. A subsequent cache operation that triggers eviction can then dereference these dangling pointers: - The node is freed from the map, but remains linked in the LRU list due to the skipped `detach()` call - When a new insertion causes eviction, the LRU traversal encounters the dangling pointer - This results in a write to already-freed memory during the eviction process ## Impact - **CWE-416 (Use-After-Free):** memory corruption when subsequent cache operations access freed node pointers in the linked list - **CWE-415 (Double Free):** potential heap corruption when the same memory is freed multiple times Both types of undefined behavior can be invoked in safe Rust, but only if unwinding panics are enabled and `std::panic::catch_unwind` is used with key types that have potentially-panicking `Drop` implementations.
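Review bot: The closing paragraph scopes the trigger too narrowly — `std::panic::catch_unwind` is not the only way a program survives a panicking `Drop` and then touches the cache again; a panic on a spawned thread with the cache shared behind `Arc<Mutex<LruCache<..>>>` is caught at `JoinHandle::join`, and the poisoned lock remains reachable via `PoisonError::into_inner`, so the same eviction path is hit. I would rephrase it as `but only if unwinding panics are enabled and the panic is caught or otherwise survived (for example via catch_unwind or a thread boundary) before the cache is used again, with key types whose Drop implementation can panic`. The prose also says `pop()` "was not panic-safe" while the front matter has `patched = []`; if an upstream fix exists, list the fixed version in `patched` and add a `url` pointing to the fix or issue, otherwise keep the description in the present tense so readers do not assume a fixed release exists. Since the unsoundness is confined to `pop()`, an `[affected]` table such as `functions = { "lru::LruCache::pop" = ["<affected range>"] }` would let cargo-audit limit the finding to crates that actually call it.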